
Anti-Virus Check


Guest Digi

Recommended Posts

This is a topic for feature expansions to the IPB Anti-Virus Check. Feel free to post your other suggestions here :)

My suggestion is that the anti-virus check has an option added to mark a file safe. For instance, we are running the ineo RC and the scan comes back saying that the language file for this component is possibly a virus file, though it has a low score of 4. I can just imagine what a pain it would be to look at this page once an admin has installed multitudes of modifications or components to their site.

The biggest down-side to this would be that it would make it easy, for those that are able to infect a site, to mark themselves as "safe" by running a query into the "safe" table. I'm not quite sure of a good way to keep this from happening atm, but...my brain is a bit fried today :P

Perhaps someone else can think of something.

Regards,

Digi

Link to comment
Share on other sites

  • Management

I thought about this but decided against it because, as you say, if someone gets ACP access they can just add a list of "safe" files in your DB via the SQL toolbox and you'd never know about it.

Of course, you could say "IPB found 10 files marked as safe" but unless you can remember exactly how many safe files you should have it's pointless.

Link to comment
Share on other sites
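The objection above is that a table of "safe" files can be edited straight in the database, and a count of safe entries tells the admin nothing unless they remember the right number. One way to make a database-only edit detectable, shown here as an added Python example and not as anything in IPB, is to store an HMAC over the safe list next to it, computed with a key that lives in a config file outside the database and the web root. The key, paths and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret; in a deployment it would sit in a config file outside the
# database and the web root, not in a table the SQL toolbox can edit.
SAFE_LIST_KEY = b"constructed-example-key-not-for-real-use"

def _payload(entries):
    """Canonical bytes for a set of safe-file paths (sorted, compact JSON)."""
    return json.dumps(sorted(set(entries)), separators=(",", ":")).encode()

def seal_safe_list(entries, key=SAFE_LIST_KEY):
    """Return the record to store in the DB: the entries plus an HMAC over them."""
    entries = sorted(set(entries))
    return {
        "entries": entries,
        "mac": hmac.new(key, _payload(entries), hashlib.sha256).hexdigest(),
    }

def safe_list_is_intact(record, key=SAFE_LIST_KEY):
    """True only if the stored entries still match the stored MAC."""
    expected = hmac.new(key, _payload(record["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])

def demo():
    """Seal a one-entry list, then simulate a row added directly in the database."""
    record = seal_safe_list(["sources/lang_blog.php"])
    intact_before = safe_list_is_intact(record)
    # A direct DB edit can add a row but cannot recompute the MAC without the key.
    tampered = {"entries": record["entries"] + ["uploads/extra.php"], "mac": record["mac"]}
    intact_after = safe_list_is_intact(tampered)
    return intact_before, intact_after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

When the check fails the tool should treat the whole safe list as untrusted and show every file again. This only covers edits made through the database: anyone who can also read files on the server can read the key, so it complements keeping the core files non-writable rather than replacing it.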

If it doesn't do this already, I would like to see it pull a list of "known files" from the IPS server rather than from a "known files" file. That way, if there are any more of these files, IPS can easily update the list of "known file names". A lot like how anti-viruses download definitions from their servers.

Also, the "safe files" thing doesn't have to be saved locally, but could rather be saved under your license. Be able to view the files in the client center under each license. And when you're using the tool under IPB, you have to type in your client user ID and password to update it. Without that, you can't do it.

Link to comment
Share on other sites

I don't ever expect this to happen in relation to this tool, but I really like the idea of having a server hosting the relationship of all files reported by users as good, bad, etc. That is kind of what MS did with windows defender and the "spynet community". It might also help IPS better rate some of the more common files to the installs of any ips product (including rating those that are most commonly attacked in hacks higher with the scan), not to mention popular modifications that add new files and so on.

Second to that I think that storing them in a cookie would be another great idea. However, the ACP doesn't even use cookies for anything in there at the moment does it? What could the side-effects of this be?

Link to comment
Share on other sites

How about checking the md5sums of all php files on the server against an external database? Right now, it looks like the virus scan will only find new files and will ignore files that have been modified.

Link to comment
Share on other sites

The thing is, the more things that need to check against something remote (presumably hosted on our servers), the more bandwidth and maintenance and problems can occur. :)

Not to say it's not possible or not something to consider - but what if our site is done, for example, or we move a file somewhere.

Link to comment
Share on other sites

Why can't you just list the filenames that you mark as safe?

I know, at least in my case, that I could remember any files I marked as safe and would notice something new. You could also add the date it was added to the list, which would allow you to see "recent" modifications to the list itself.

Of course the simple solution is don't get hacked, which the only way I believe is possible, is not to use modifications.

Link to comment
Share on other sites

The thing is, the more things that need to check against something remote (presumably hosted on our servers), the more bandwidth and maintenance and problems can occur. :)

Not to say it's not possible or not something to consider - but what if our site is done, for example, or we move a file somewhere.

I have no idea how many active IPBs there are, but since most admins would only do this scan once every few weeks, I don't think the strain on your servers would be too big - after all, you could just put the data into a plain text file that is then downloaded and parsed by the software...

I don't really understand what you mean by "but what if our site is done, for example, or we move a file somewhere". If you want to use another server, couldn't you just make your server redirect old versions with a 301 and change the URL in the next version?


Something else about the virus check:
In my opinion, the current integration into the ACP has one big problem: when a hacker finds a way to change files on the server, what is stopping him from changing the virus scanner itself?
I think it would be better to offer a stand-alone PHP file, separate from the IPB, that users can upload as needed. Maybe you could even include the md5 hashes in that file, so there wouldn't be any problems with using your servers.
Link to comment
Share on other sites
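Two suggestions in this thread point the same way: check the md5sums of the PHP files against a known list so that modified files are caught as well as new ones, and ship a stand-alone scanner that carries its own hashes so nothing has to be fetched from IPS. The following is an added Python illustration of that approach, not IPB code and not the PHP file the poster describes. A manifest of digests is built from a pristine copy of the files and later compared against the live tree, reporting new, modified and missing files. The paths and file contents are constructed for the example, and SHA-256 is used rather than MD5 (hashlib accepts either name).

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a pristine install (hypothetical paths and contents).
# A real manifest is generated from the release archive, never from the server
# being checked, and embedded in the stand-alone scanner.
PRISTINE_FILES = {
    "index.php": "<?php echo 'index';\n",
    "sources/lang_blog.php": "<?php return array('title' => 'Blog');\n",
}

def digest(path, algo="sha256"):
    """Hex digest of one file, read in chunks so large files stay out of memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, exts=(".php",), algo="sha256"):
    """Map relative path -> digest for every file under root with a listed extension."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = digest(full, algo)
    return manifest

def verify_tree(root, manifest, exts=(".php",), algo="sha256"):
    """Compare the live tree with the manifest: files absent from the manifest are
    'new', files whose digest differs are 'modified', manifest entries absent on
    disk are 'missing'."""
    current = build_manifest(root, exts, algo)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "new": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }

def _write(root, rel, text):
    full = os.path.join(root, rel)
    parent = os.path.dirname(full)
    if parent:
        os.makedirs(parent, exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Build a manifest from a clean tree, then change the tree and re-check it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in PRISTINE_FILES.items():
            _write(root, rel, text)
        manifest = build_manifest(root)
        # Three kinds of change a scan that only lists new files would not all report:
        _write(root, "index.php", "<?php echo 'index'; /* edited */\n")      # modified
        _write(root, "sources/unexpected.php", "<?php // not in manifest\n")  # new
        os.remove(os.path.join(root, "sources", "lang_blog.php"))            # missing
        return verify_tree(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The run also shows the limitation raised later in the thread: any edit to a known file, legitimate or not, lands in the modified list, so the embedded manifest has to match the exact version and patch level that is installed, and a site running modifications will see its edited core files flagged every time.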

  • Management

Why can't you just list the filenames that you mark as safe?

Because no file names are safe. If we labelled all standard IPS files as safe, the hacker would just name the shell file "lang_blog.php" and you'd never know about it.

How about checking the md5sums of all php files on the server against an external database?

That's a lot of overhead. We'd have to maintain a list of all files for all versions and all patches. Plus, a single edit will mark it as changed and it'd just be flagged as modified.

The more complicated you make this tool the more angles the hacker has at disguising his shell scripts without your knowledge.

It takes maybe 2 minutes to scoot through the list to determine if anything looks out of place and you can click each file to see what it loads.
Link to comment
Share on other sites

I agree, Matt. However, a lot of users just do not know what is going on on their servers....if they can't even figure out chmod, what makes you think they will be able to understand the ratings of good and bad files?

I think this one got overlooked :P

I don't ever expect this to happen in relation to this tool, but I really like the idea of having a server hosting the relationship of all files reported by users as good, bad, etc. That is kind of what MS did with windows defender and the "spynet community". It might also help IPS better rate some of the more common files to the installs of any ips product (including rating those that are most commonly attacked in hacks higher with the scan), not to mention popular modifications that add new files and so on.

Second to that I think that storing them in a cookie would be another great idea. However, the ACP doesn't even use cookies for anything in there at the moment does it? What could the side-effects of this be?

Link to comment
Share on other sites

Actually, none of the core files were ever modified as they aren't usually set to writeable except by user error. As such, the virus tool would be just as safe as index.php (which wasn't targeted by any of the latest attacks).

Link to comment
Share on other sites

Actually, none of the core files were ever modified as they aren't usually set to writeable except by user error. As such, the virus tool would be just as safe as index.php (which wasn't targeted by any of the latest attacks).

Aren't there some files that have to be set to 777, though? Like the config file or the cache directory.
Link to comment
Share on other sites

Yes, but this isn't what was being pointed out in the previous post. They were trying to say that a hacker would be able to change the file checker to ignore their files. Which, as it is set up, would not happen.

Link to comment
Share on other sites

For the filters, how about sorting the files based on the filters?

Show All filter will list the files alphabetically by folders, then files.
Show score x or more will list the files by score, ascending.
Show files larger than 55k will list the files by size, with the largest first.
Show files modified in the last 30 days will list the files with the most recently edited file first.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
